Arts patrons nationwide alerted to hacking of ticket sales data

Los Angeles Times photographers document the year in arts and culture.

Mike Boehm

A San Francisco-based online ticketing service that handles sales for hundreds of theaters, concert halls and sports venues nationwide says its records were hacked this spring and that customers should watch their billing statements to make sure intruders haven't rung up fraudulent purchases on their credit cards.

Among the clients of the targeted vendor, Vendini, are the Soka Performing Arts Center and Irvine Barclay Theatre in Orange County. The Soka Center’s general manager, David Palmer, emailed an apology and an explanation to its patrons this week.

Patrons’ emails about the incident have been mixed, he said: “There are people who say 'thank you for keeping us informed, we appreciate you being upfront about it,’ and a number of `how could you dare let this happen’-type emails.”

Karen Drews, spokeswoman for the Irvine Barclay, said officials there are “evaluating” whether there’s a need to communicate further with its online customers, whom Vendini had notified by email late last week.

“If the major banks can be hacked and the federal government can be hacked, that’s the state of life these days,” Drews said. “It’s not fun, and we’re not happy about it.”

Vendini’s public notification, addressed “Dear patron,” said the company had “detected” the breach April 25.

In a filing on the California attorney general’s website posted by Vendini on May 24 -- to comply with a state law mandating public reporting of consumer-data security breaches -- the company said the breach had occurred March 29. The apparent lag time between the breach and its detection was not mentioned in the “Dear patron” letter.

Vendini spokesman Keith Goldberg said in an email that the company delayed notifying customers for a month at the behest of federal law enforcement officials who were investigating the case, emailing the public alerts after investigators had given the go-ahead. He said the company had "no details" on how the investigation was progressing.

Goldberg declined to comment on why it had taken nearly a month to discover the security breach, and would not disclose how many people or venues were affected, saying the company has a policy against making that information public. Past Vendini news releases reported that it had signed up 304 new venues in 2010, and 402 in 2011.

In its public-notification statement, Vendini said that after discovering the breach, “we implemented enhanced security measures designed to prevent a recurrence.” The company advised customers “to review credit card account statements and to monitor credit reports for any unauthorized activity.”

Vendini said that hackers could not have gotten the three-digit security codes on the backs of credit cards because it doesn't collect them, and that ticket buyers' computer passwords or user names were not improperly accessed.

At the Irvine Barclay, Drews said, only one ticket buyer had contacted the theater as of Wednesday, “trying to figure out what’s going on.” She said the 756-seat venue on the UC Irvine campus switched its online ticketing to Vendini from Ticketmaster in 2010, and hadn’t had any previous problems.

Palmer estimated that about 4,000 people have bought tickets online for shows at the 1,034-seat Soka Center at Soka University in Aliso Viejo, with Vendini handling online sales since the venue opened in 2011.

In launching the Soka Center, he said, officials initially had hoped to install online ticketing software called Tessitura, “the Cadillac of ticketing and patron-management systems.” It allows records to be stored in-house, he said, but requires top-level in-house security systems that were not compatible with the university's information technology setup.

The Soka Center turned to vendors who could provide the highest commercial security level -- called Level One PCI-DSS (for Payment Card Industry Data Security Standard) -- while storing data behind special security firewalls on the Internet -- a practice often referred to as "cloud-computing."

About a year ago, the theater publication Stage Directions reported that Vendini was one of a dozen or so “boutique” online ticketing companies “chasing the arts organizations who can’t afford Tessitura. ... Vendini and others have figured out how to mimic the big guys at small-guy prices.”

Another ticket vendor, Gotickets Inc., which carries a limited inventory of its own for specific events at various venues, reported a security breach to the California attorney general in May 2012, saying its online customers’ shipping, billing and credit card data might have been compromised.